Risk concerns the expected value of one or more results of one or more future events. Technically, the value of those results may be positive or negative. However, general usage tends to focus only on potential harm that may arise from a future event, which may accrue either from incurring a cost ("downside risk") or by failing to attain some benefit ("upside risk").
The term risk may be traced back to classical Greek rizikon (Greek ριζα, riza), meaning root, later used in Latin for cliff. The term is used in Homer’s Rhapsody M of the Odyssey, "Sirens, Scylla, Charybdee and the bulls of Helios (Sun)": Odysseus tried to save himself from Charybdee by grabbing the roots of a wild fig tree at the cliffs of Scylla, where his ship was destroyed by heavy seas generated by Zeus as a punishment for his crew having earlier killed the bulls of Helios (the god of the sun).
For the sociologist Niklas Luhmann the term 'risk' is a neologism which appeared with the transition from traditional to modern society. "In the Middle Ages the term riscium was used in highly specific contexts, above all sea trade and its ensuing legal problems of loss and damage." In the vernacular languages of the 16th century the words rischio and riezgo were used, both terms derived from the Arabic word "رزق", "rizk", meaning 'to seek prosperity'. This was introduced to continental Europe, through interaction with Middle Eastern and North African Arab traders. In the English language the term risk appeared only in the 17th century, and "seems to be imported from continental Europe." When the terminology of risk took ground, it replaced the older notion that thought "in terms of good and bad fortune." Niklas Luhmann (1996) seeks to explain this transition: "Perhaps, this was simply a loss of plausibility of the old rhetorics of Fortuna as an allegorical figure of religious content and of prudentia as a (noble) virtue in the emerging commercial society."
Scenario analysis matured during Cold War confrontations between major powers, notably the U.S. and the USSR. It became widespread in insurance circles in the 1970s when major oil tanker disasters forced a more comprehensive foresight. The scientific approach to risk entered finance in the 1980s when financial derivatives proliferated. It reached general professions in the 1990s when the power of personal computing allowed for widespread data collection and numerical analysis.
Governments are using it, for example, to set standards for environmental regulation, e.g. "pathway analysis" as practiced by the United States Environmental Protection Agency.
Definitions of risk
There are many definitions of risk that vary by specific application and situational context. The widely inconsistent and ambiguous use of the word is one of several current criticisms of the methods to manage risk.
One set of definitions presents risk simply as future issues which can be avoided or mitigated, rather than present problems that must be immediately addressed. E.g. "Risk is the unwanted subset of a set of uncertain outcomes." (Cornelius Keating)
More formally (and quantitatively), risk is proportional to both the results expected from an event and to the probability of this event. E.g. "Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)" (OHSAS 18001:2007). Mathematically, risk is often simply defined as
Or more generally,
One of the first major uses of this concept was at the planning of the Delta Works in 1953, a flood protection program in the Netherlands, with the aid of the mathematician David van Dantzig. The kind of risk analysis pioneered here has become common today in fields like nuclear power, aerospace and chemical industry.
There are more sophisticated definitions, however. Measuring engineering risk is often difficult, especially in potentially dangerous industries such as nuclear energy. Often, the probability of a negative event is estimated by using the frequency of past similar events or by event-tree methods, but probabilities for rare failures may be difficult to estimate if an event tree cannot be formulated. Methods to calculate the cost of the loss of human life vary depending on the purpose of the calculation. Specific methods include what people are willing to pay to insure against death, and radiological release (e.g., GBq of radio-iodine). There are many formal methods used to assess or to "measure" risk, considered as one of the critical indicators important for human decision making.
Financial risk is often defined as the unexpected variability or volatility of returns and thus includes both potential worse-than-expected as well as better-than-expected returns. References to negative risk below should be read as applying to positive impacts or opportunity (e.g., for "loss" read "loss or gain") unless the context precludes.
In statistics, risk is often mapped to the probability of some event which is seen as undesirable. Usually, the probability of that event and some assessment of its expected harm must be combined into a believable scenario (an outcome), which combines the set of risk, regret and reward probabilities into an expected value for that outcome. (See also Expected utility.)
In information security, a risk is written as an asset, the threats to the asset and the vulnerability that can be exploited by the threats to impact the asset - an example being: Our desktop computers (asset) can be compromised by malware (threat) entering the environment as an email attachment (vulnerability).
The risk is then assessed as a function of three variables:
- the probability that there is a threat
- the probability that there are any vulnerabilities
- the potential impact to the business.
The two probabilities are sometimes combined and are also known as likelihood. If any of these variables approaches zero, the overall risk approaches zero. The management of actuarial risk is called risk management.
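The three-variable assessment above can be applied to a small risk register, shown here as an added example that is not part of the original article. It assumes the simplest function with the stated zero property, the product of the two probabilities and the impact; the register entries, probabilities and impact figures are constructed, and `total_exposure` and `mitigate` are illustrative helpers.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    p_threat: float  # probability that there is a threat, 0..1
    p_vuln: float    # probability that the vulnerability is present, 0..1
    impact: float    # potential impact to the business (currency units)

    def __post_init__(self):
        if not (0.0 <= self.p_threat <= 1.0 and 0.0 <= self.p_vuln <= 1.0):
            raise ValueError("p_threat and p_vuln must lie in [0, 1]")
        if self.impact < 0:
            raise ValueError("impact must be non-negative")

    @property
    def likelihood(self) -> float:
        # The two probabilities combined, as the text describes.
        return self.p_threat * self.p_vuln

    @property
    def score(self) -> float:
        # Assumed form: a product, so any factor at zero gives zero risk.
        return self.likelihood * self.impact

def rank(register):
    """Highest risk first: the order in which to spend mitigation effort."""
    return sorted(register, key=lambda r: r.score, reverse=True)

def total_exposure(register):
    """Sum of per-risk scores across the register."""
    return sum(r.score for r in register)

def mitigate(risk, p_vuln):
    """Copy of `risk` after a control changes the vulnerability probability."""
    return replace(risk, p_vuln=p_vuln)

# Constructed register; the first entry is the article's own example.
REGISTER = [
    Risk("desktop computers", "malware", "email attachment", 0.9, 0.5, 40_000),
    Risk("customer database", "intruder", "unpatched server", 0.6, 0.25, 400_000),
    Risk("backup media", "theft", "unencrypted tapes", 0.1, 0.5, 100_000),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:>10,.0f}  {r.asset}: {r.threat} via {r.vulnerability}")
    after = [mitigate(REGISTER[0], 0.0)] + REGISTER[1:]
    print("exposure before:", total_exposure(REGISTER), "after:", total_exposure(after))
```

The desktop entry has the highest likelihood but ranks below the database entry once impact is included, and closing its vulnerability removes that entry's contribution entirely while the others are unchanged.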